Hide expired keys outside of their staleness window

Joseph Schorr 2016-04-27 17:44:59 -04:00 committed by Jimmy Zelinskie
parent a55e92bc95
commit 6091db983b
4 changed files with 37 additions and 16 deletions


@ -20,11 +20,12 @@ def _expired_keys_clause(service):
return ((ServiceKey.service == service) &
(ServiceKey.expiration_date <= datetime.utcnow()))
def _stale_expired_keys_clause(service):
expired_ttl = timedelta(seconds=config.app_config['EXPIRED_SERVICE_KEY_TTL_SEC'])
return ((ServiceKey.service == service) &
(ServiceKey.expiration_date <= (datetime.utcnow() - expired_ttl)))
def _stale_expired_keys_service_clause(service):
return ((ServiceKey.service == service) & _stale_expired_keys_clause())
def _stale_expired_keys_clause():
expired_ttl = timedelta(seconds=config.app_config['EXPIRED_SERVICE_KEY_TTL_SEC'])
return (ServiceKey.expiration_date <= (datetime.utcnow() - expired_ttl))
def _stale_unapproved_keys_clause(service):
unapproved_ttl = timedelta(seconds=config.app_config['UNAPPROVED_SERVICE_KEY_TTL_SEC'])
@ -34,7 +35,7 @@ def _stale_unapproved_keys_clause(service):
def _gc_expired(service):
ServiceKey.delete().where(_stale_expired_keys_clause(service) |
ServiceKey.delete().where(_stale_expired_keys_service_clause(service) |
_stale_unapproved_keys_clause(service)).execute()
@ -64,12 +65,12 @@ def _notify_superusers(key):
def create_service_key(name, kid, service, jwk, metadata, expiration_date, rotation_duration=None):
_verify_service_name(service)
_gc_expired(service)
key = ServiceKey.create(name=name, kid=kid, service=service, jwk=jwk, metadata=metadata,
expiration_date=expiration_date, rotation_duration=rotation_duration)
_notify_superusers(key)
_gc_expired(service)
return key
@ -155,9 +156,9 @@ def approve_service_key(kid, approver, approval_type, notes=''):
raise ServiceKeyDoesNotExist
delete_all_notifications_by_path_prefix('/service_key_approval/{0}'.format(kid))
_gc_expired(key.service)
return key
def _list_service_keys_query(kid=None, service=None, approved_only=False):
query = ServiceKey.select().join(ServiceKeyApproval, JOIN_LEFT_OUTER)
@ -172,6 +173,7 @@ def _list_service_keys_query(kid=None, service=None, approved_only=False):
if kid is not None:
query = query.where(ServiceKey.kid == kid)
query = query.where(~(_stale_expired_keys_clause()) | (ServiceKey.expiration_date >> None))
return query
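Review bot: The filter added in `_list_service_keys_query` hides only keys whose expiration is older than `EXPIRED_SERVICE_KEY_TTL_SEC`, so a key that expired within that window is still returned, and nothing on the new line tells callers that. If any caller resolves a key through this query to verify a signature (the callers are not visible on this page), it must still compare `expiration_date` with the current time itself; a comment above the new line would make that explicit, e.g. `# Hides only keys past the staleness TTL; recently expired keys are still returned, so callers must check expiration_date before trusting a key.` The same line now reads `config.app_config['EXPIRED_SERVICE_KEY_TTL_SEC']` on every listing, so a missing setting would raise `KeyError` on read paths and not only in `_gc_expired`; presumably a default is defined elsewhere, but that is worth confirming. The body of `_list_service_keys_query` starts outside this hunk.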